Out-Law News

Retail victim of cyber attack in bid to recover penalties levied by Visa over alleged PCI DSS rules breach


A US retailer has launched legal action in a district court in Tennessee in a bid to reclaim more than $13 million from Visa in connection with penalties the payment card provider levied following a cyber attack.

Genesco said that Visa "wrongfully imposed" fines and "issuer reimbursement assessments" totalling $13,298,900.16 after it had suffered a "sophisticated cybercrime attack".

Visa had imposed the penalties on the two banks Genesco used to facilitate Visa card payments in its stores, but under the terms of the indemnification agreements Genesco had with those banks, the company was required to reimburse the banks for the sums they had been ordered to pay Visa.

However, Genesco has challenged Visa's penalties (49-page / 4.67MB PDF) and said the company acted in breach of contract and of the law by imposing the fines it did.

Genesco had agreed to comply with the Payment Card Industry Data Security Standard (PCI DSS) as part of the agreements it had formed with the two banks for the facilitation of Visa card payments. PCI DSS is the main standard governing the handling and storage of payment card data; it sets out 12 requirements specifying the steps that should be taken to keep payment card data safe both during and after transactions.

The company admitted that hackers had planted malware on its systems in a bid to capture, for fraudulent purposes, unencrypted payment card data while that data was in transit across the company's computer network. Genesco said, though, that the hackers had not targeted or managed to gain access to "any stored payment card account information" held on its computer systems.

However, Genesco has claimed that Visa sent alerts to the network of banks it uses to help facilitate payments, informing them that every Visa card Genesco had processed during a period spanning nearly a year had been compromised. Genesco said that Visa issued the alerts despite evidence that some of the alerted accounts had not been compromised, and despite there being no "forensic evidence" that the remaining alerted accounts had been compromised either.

Genesco also said that Visa had failed to act in accordance with its own rules governing how fines and penalties assessments are to be made and that, even if it is ruled that it did, those rules are "unenforceable". It has claimed Visa has acted in breach of Californian laws on unfair business practices.

Visa had "no reasonable basis" to deem that Genesco had failed to comply with the PCI DSS rules, it said. The payment card company also acted in breach of its contract with the two banks Genesco used to facilitate in-store Visa payments by imposing penalties on them, the retailer added.

"By reason of Visa's wrongful imposition and collection of the [penalties] ... Visa now possesses funds that ultimately and rightfully belong to Genesco," the retailer said in its complaint, court papers originally published by Wired. "To allow Visa to retain such funds when Visa has no right to such funds would go against principles of right, justice and morality. Genesco is accordingly owed the amounts wrongfully imposed and collected by Visa and in turn indemnified by Genesco."

"In the alternative, Visa was unjustly enriched by its actions ... [and] Visa [should be required to] make restitution to Genesco of the amounts by which Visa has been unjustly enriched at Genesco's expense," it added. "Genesco is entitled to money damages and restitution by reason of Visa's improper collection and continued withholding of the [penalties it imposed] - in the alternative, by reason of Visa's unjust enrichment - in an amount ... not less than ... $13,298,900.16 together with any amounts incidental to the [penalties] that Visa has imposed."
